Deeplinks Blog posts about Security

On this day in 1993, the Clinton White House introduced the Clipper Chip, a plan for building in hardware backdoors to communications technologies. The chip would be used in American secure voice equipment, giving law enforcement agencies the explicit ability to decrypt its traffic using a key stored by the government. The White House promised that only law enforcement with proper "legal authorization" could access that key—and thus, the contents of the communications.

One of EFF's first major legal victories was Bernstein v. Department of Justice, a landmark case that resulted in establishing code as speech and changed United States export regulations on encryption software, paving the way for international e-commerce. We represented Daniel J. Bernstein, a Berkeley mathematics Ph.D. student, who wished to publish an encryption algorithm he developed, the source code for a program to run the algorithm, and a mathematical paper describing and explaining the algorithm.

A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation.

Apple, that’s who. Or Microsoft, or any of the other vendors whose products US government contractors have successfully exploited, according to a recent report in The Intercept. While we’re not surprised that the Intelligence Community is actively attempting to develop new spycraft tools and capabilities—that’s their job—we expect them to follow the administration’s rules of engagement. Those rules require an evaluation under what’s known as the “Vulnerabilities Equities Process.” In the White House’s own words, the process should usually result in disclosing software vulnerabilities to vendors, because “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”

Cyber, Cyber, Cyber. The word makes most technical people cringe but it’s all the rage right now in DC and other policy circles. The rallying calls are now familiar and the central pitch is that private entities and networks—the buzzword is “critical infrastructure”—should be strongly incentivized to “share” information with the government. In other words, providers should surrender more of their and their customers’ privacy. There’s much danger there and EFF continues to sound the alarm.